berbew | 34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355

General

Target

34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Size

1.6MB
MD5

f0e5b8ee40afe54f0abfc57c0c338231
SHA1

d759f9624e284b39891a9604b9c59655e8bc5bf5
SHA256

34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355
SHA512

9b921610e7440987e4c907a6f77ca5337c86c8cb0700e35ea3126d11bb37238f38b22800d4b03a495a9b1b22394c08f933ee39bc9d5aa386e2830c676ca40340
SSDEEP

12288:RCAqr/Ng1/Nblt01PBExKqClt01PBExKN4P6IfKTLR+6CwUkEoILk:Rnlksklks/6HnEpQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddjebgb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 2 IoCs

pid	Process
2140	Cddjebgb.exe
2844	Ceegmj32.exe

Loads dropped DLL 8 IoCs

pid	Process
2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
2140	Cddjebgb.exe
2140	Cddjebgb.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cddjebgb.exe	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cddjebgb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	2844	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cddjebgb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2140	2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe	28
PID 2296 wrote to memory of 2140	2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe	28
PID 2296 wrote to memory of 2140	2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe	28
PID 2296 wrote to memory of 2140	2296	34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe	28
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2844 wrote to memory of 2696	2844	Ceegmj32.exe	30
PID 2844 wrote to memory of 2696	2844	Ceegmj32.exe	30
PID 2844 wrote to memory of 2696	2844	Ceegmj32.exe	30
PID 2844 wrote to memory of 2696	2844	Ceegmj32.exe	30

C:\Users\Admin\AppData\Local\Temp\34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe
"C:\Users\Admin\AppData\Local\Temp\34a3631ae4d3df399c377497de406544ac4724afd19efbc7bac249b42d13e355.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Cddjebgb.exe
  C:\Windows\system32\Cddjebgb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Ceegmj32.exe
    C:\Windows\system32\Ceegmj32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
1.6MB

MD5
1ed555e63dc6677b6524568ee9618db3

SHA1
d2f8b3bb047e2972041c2fda19066fdc186d3f32

SHA256
2503de9c7fc545647f347d73069c3b6672b03786eb9340a5c516a6cf120283a9

SHA512
bee3b2b68645a9f788178117ac70bcb08a3e1675deb0f89f12aa2c7ffd35faad00b4239a51ee84749b90839a4011c430edc6e9230d17b92949e612a6f8a7cb15

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
1.6MB

MD5
3bf620e87c3d7a5a05f834f13110a191

SHA1
7d83133bfa614af1fe9b861b2d652e5cd366c2de

SHA256
8309854b03dc7479d9137f5c8d79a044492bf291e9e205fe1e85c12be335b44b

SHA512
d0318828171dbefc51fc156ee09c521d55fd7c7fad458c07f7d18346e7a1f1aeb70d820136137a03485e03d2c3809bbbcb3f57d2d29fe45e9afacadd52412888

Download Submit
memory/2140-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-17-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2296-25-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2296-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads